Kerio Connect redirects from HTTPS to HTTP
  •  
JeroenW

We are using WinGate as an edge firewall. We want to migrate from Exchange to Kerio Connect. WinGate is configured as a reverse proxy for Kerio Connect. The proxy server is listening on HTTPS. It requests client certificates and then proxies the requests to HTTP port 80 on the Kerio Connect server.
When visiting webmail on HTTPS, clients get redirected back to plain HTTP! When I change the URL back to HTTPS and log in, I am again redirected to HTTP. I actually want it the other way around but configuring the proxy this way will result in an endless loop because of this behaviour.
How can I disable this redirection in Kerio Connect or otherwise fix this?

Thanks in advance!
  •  
Pavel Dobry (Kerio)

I think that this requires better configuration of the proxy server. If it terminates the HTTPS connection and then translates it to HTTP, then it must also rewrite URLs in redirects made by the target server from HTTP to HTTPS. Kerio Connect has no information that your HTTPS connection ends on a proxy server. Kerio Connect does not allow a redirect from HTTPS to HTTP. In fact, it can do the opposite.
So any redirect from a secure to a non-secure protocol is due to misconfiguration of the proxy server.

Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
------------------
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
JeroenW

Thank you for your quick response.

Unfortunately I don't understand what I need to change on the proxy server. It works flawlessly on other web applications I publish like Exchange and Kaseya. I think Kerio Connect redirects back to HTTP on purpose because it is accessed through HTTP and has no knowledge of the HTTPS connection I make to the proxy server. Can you tell me how to disable this redirection or what I can do on the proxy server to prevent it?
  •  
Brian Carmichael (Kerio)

In Kerio Connect the setting to force secure connections is located in the security section -> security policy.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
  •  
JeroenW

Thanks, but that option also results in an endless loop, I think because HTTPS requests reach Kerio Connect on its HTTP service that will redirect them to HTTPS.
  •  
JeroenW

I really need this to work since Kerio Connect does not seem to be able to request client certificates. If client certificates cannot be requested, I cannot make Kerio Connect compliant with our company's security policy. This would be a shame because I like Kerio Connect very much because it is easy to administer and especially to troubleshoot and it has many features that we have missed in Exchange (2007) and every time I said Kerio Connect could do the trick.

Can anyone please tell me how to disable this redirection? Maybe in some configuration file? Or is there a way to make Kerio Connect request client certificates?
  •  
clan

If you set Kerio to force secure connections it will redirect access on port 80 to https on port 443. If Kerio is accessed on port 443 it should not redirect to http.
Did you check Kerio's debug log?
  •  
JeroenW

I think that is what Brian said. I tried that and that also results in an endless loop. I think because HTTPS requests reach Kerio Connect on its HTTP service that will redirect them to HTTPS which will again reach the HTTP service and be redirected again and so on.

When accessing webmail without requiring secure authentication I get this debug log:
[13/Apr/2016 13:56:53][1900] {https} Task 399 handler BEGIN
[13/Apr/2016 13:56:53][1900] {https} Task 399 handler starting
[13/Apr/2016 13:56:53][1900] {https} HTTP connection from 88.159.4.249:3632 started
[13/Apr/2016 13:56:53][1900] {https} GET request for URI /webmail/
[13/Apr/2016 13:56:53][1900] {https} User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[13/Apr/2016 13:56:53][1900] {https} Found dispatcher for url /webmail/ with service id 80.
[13/Apr/2016 13:56:53][1900] {https} Response: HTTP/1.1 302 Found
[13/Apr/2016 13:56:53][1900] {https} Request finished in 0.02 s, received 288 bytes, sent 282 bytes
[13/Apr/2016 13:56:53][1900] {https} GET request for URI /webmail/login/
[13/Apr/2016 13:56:53][1900] {https} User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[13/Apr/2016 13:56:53][1900] {https} Found dispatcher for url /webmail/login/ with service id 80.
[13/Apr/2016 13:56:53][1900] {https} Response: HTTP/1.1 200 OK
[13/Apr/2016 13:56:53][1900] {https} Request finished in 0.00 s, received 294 bytes, sent 2222 bytes
[13/Apr/2016 13:56:53][1900] {https} Task 399 handler END
[13/Apr/2016 13:56:53][1344] {https} Task 400 handler BEGIN
[13/Apr/2016 13:56:53][1344] {https} Task 400 handler starting
[13/Apr/2016 13:56:53][1344] {https} HTTP connection from 88.159.4.249:3633 started
[13/Apr/2016 13:56:53][1344] {https} GET request for URI /webmail/generatedDefaults.js
[13/Apr/2016 13:56:53][1344] {https} User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[13/Apr/2016 13:56:53][1344] {https} Found dispatcher for url /webmail/generatedDefaults.js with service id 80.
[13/Apr/2016 13:56:53][1344] {https} Response: HTTP/1.1 200 OK
[13/Apr/2016 13:56:53][1344] {https} Request finished in 0.00 s, received 342 bytes, sent 876 bytes
[13/Apr/2016 13:56:58][2976] {https} Task 84247 handler END


And when requiring secure authentication I get this debug log:
[13/Apr/2016 14:15:58][164] {https} Task 405 handler BEGIN
[13/Apr/2016 14:15:58][164] {https} Task 405 handler starting
[13/Apr/2016 14:15:58][164] {https} HTTP connection from 88.159.4.249:8562 started
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][164] {https} Task 405 handler END
[13/Apr/2016 14:15:58][2056] {https} Task 406 handler BEGIN
[13/Apr/2016 14:15:58][2056] {https} Task 406 handler starting
[13/Apr/2016 14:15:58][2056] {https} HTTP connection from 88.159.4.249:8563 started
[13/Apr/2016 14:15:58][2056] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][2056] {https} Task 406 handler END
[13/Apr/2016 14:15:58][164] {https} Task 407 handler BEGIN
[13/Apr/2016 14:15:58][164] {https} Task 407 handler starting
[13/Apr/2016 14:15:58][164] {https} HTTP connection from 88.159.4.249:8564 started
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][164] {https} Task 407 handler END
[13/Apr/2016 14:15:58][2056] {https} Task 408 handler BEGIN
[13/Apr/2016 14:15:58][2056] {https} Task 408 handler starting
[13/Apr/2016 14:15:58][2056] {https} HTTP connection from 88.159.4.249:8565 started
[13/Apr/2016 14:15:58][2056] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][2056] {https} Task 408 handler END
[13/Apr/2016 14:15:58][164] {https} Task 409 handler BEGIN
[13/Apr/2016 14:15:58][164] {https} Task 409 handler starting
[13/Apr/2016 14:15:58][164] {https} HTTP connection from 88.159.4.249:8566 started
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][164] {https} Task 409 handler END

...and so on until the browser detects the endless loop.

I noticed the log always says {https} even if I visit the HTTP service directly. First I thought Kerio Connect somehow knew my browser was using HTTPS but I guess that's not the case.
  •  
clan

I am a bit confused now, does it work without requiring secure connections to Kerio? Then don't set the option. The connection is not encrypted between proxy and Kerio. Is there a setting in the proxy to set up a secure connection to the server?

This:
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.

shows that requests to http are redirected to https. If your proxy handles https requests, the redirected requests will never reach Kerio.
  •  
Pavel Dobry (Kerio)

{https} means "HTTP Server", not HTTPS.

I do not understand. If you use a proxy to change the connection from HTTPS to HTTP, why did you configure Kerio Connect to require an encrypted connection? If you want to use an unencrypted HTTP connection from your proxy server, you should not configure Kerio Connect to redirect HTTP connections to HTTPS, because your proxy server is not capable of making an HTTPS connection to the Kerio Connect server.

  •  
JeroenW

I only configured Kerio Connect to require secure authentication temporarily because Brian told me to and so did Clan.

I don't want to redirect anything, the plain HTTP service redirects clients to plain HTTP when they are using HTTPS through the proxy. That is the original problem.

I assume people using Kerio Control as a reverse proxy for Kerio Connect will experience the same problem unless Kerio Control can forward requests to HTTPS, which I can't do using (this version of) WinGate. If Kerio Control can do this and request client certificates, then it is going to replace this WinGate server, which is quite old anyway.

[Updated on: Thu, 14 April 2016 09:04]

  •  
Brian Carmichael (Kerio)

I didn't advise enabling or disabling the option, I was only directing you to the location within the configuration which controls the behavior. In either case, your reverse proxy should be able to handle the configuration. I suggest that you reach out to WinGate for assistance on this issue. Otherwise, if you replace WinGate with Kerio Control then we will be able to better assist you with your reverse proxy configuration.

[Updated on: Thu, 14 April 2016 17:47]


  •  
JeroenW

Unfortunately, the option does not affect this specific behaviour. Qbik (WinGate) cannot possibly help me with this, I think it's a bug in Kerio Connect since I can't think of any scenario in which this could be useful.
If this can or will not be changed, I hate to say we'll have to find an alternative, unless client certificate support would be added to Kerio Connect (or Kerio Control) soon. Kerio Control does not seem to support client certificates. So unless I've missed it, Kerio Control is not a viable alternative to WinGate for us.

  •  
Pavel Dobry (Kerio)

Maybe you should share what HTTP headers are sent by WinGate to the HTTP server behind it (Kerio Connect). If Kerio Connect has no idea that the browser uses HTTPS, how should the server redirect the user to HTTPS?
WinGate must rewrite the Location HTTP header with the correct hostname and protocol when doing reverse proxy. This is basic functionality of every reverse proxy server.

  •  
JeroenW

There are no HTTP headers modified or added by WinGate. Kerio Connect should not redirect to HTTPS, this option is not enabled. Kerio Connect redirects to HTTP instead of HTTPS and that is the problem, it should not redirect at all. I have not configured Kerio Connect to only accept certain host headers, I don't even know how to do that. Users reach Kerio Connect through the proxy using a hostname that internally resolves to the local IP address of the Kerio Connect server.

I can modify or add headers to be sent to the Kerio Connect server if required.
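
Added example, not part of the thread and not WinGate or Kerio code: a sketch of the Location rewrite a TLS-terminating reverse proxy applies to backend redirects, as described in the replies above. The public hostname, backend hostnames and the sample redirect target are assumptions constructed for illustration; the thread's log shows only the 302 status, not the Location value.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment values (constructed for this example, not from the thread).
PUBLIC_SCHEME = "https"
PUBLIC_HOST = "mail.example.com"
# Names under which the backend may refer to itself in absolute redirects.
BACKEND_HOSTS = {"mail.example.com", "kerio.internal.example", "192.0.2.10"}


def rewrite_location(location, public_scheme=PUBLIC_SCHEME,
                     public_host=PUBLIC_HOST, backend_hosts=BACKEND_HOSTS):
    """Map a backend redirect target to the origin the browser actually uses."""
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        # Relative redirect: the browser resolves it against the https URL.
        return location
    if parts.scheme not in ("", "http", "https"):
        return location
    host = (parts.hostname or "").lower()  # .hostname drops any :80 port
    if host not in backend_hosts:
        # Redirect to some other site: not ours to rewrite.
        return location
    return urlunsplit((public_scheme, public_host,
                       parts.path, parts.query, parts.fragment))


def rewrite_response_headers(status, headers):
    """Rewrite Location on 3xx responses; headers is a list of (name, value)."""
    if not 300 <= status < 400:
        return headers
    return [(name, rewrite_location(value) if name.lower() == "location" else value)
            for name, value in headers]


if __name__ == "__main__":
    # Constructed backend response for GET /webmail/ arriving over plain HTTP.
    backend = [("Location", "http://mail.example.com/webmail/login/"),
               ("Content-Length", "0")]
    print(rewrite_response_headers(302, backend))
```

Without this step the browser follows the backend's `http://` target and leaves the TLS session, which is the downgrade described in the first post.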